
ipsec-tools-0.7.3-4.fc12.src.rpm

# Package metadata for ipsec-tools: setkey plus the racoon IKEv1 keying daemon.
Name: ipsec-tools
Version: 0.7.3
Release: 4%{?dist}
Summary: Tools for configuring and using IPSEC
License: BSD
Group: System Environment/Base
URL: http://ipsec-tools.sourceforge.net/
# NOTE(review): the upstream tarball is referenced by a plain ftp URL and this
# spec names no detached signature or checksum for it. Verify the tarball
# against a known-good hash before rebuilding.
Source: ftp://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.7/ipsec-tools-%{version}.tar.bz2
# Distribution-supplied files laid down by the install section: racoon.conf and
# psk.txt go into the racoon config directory with mode 600, p1_up_down into
# its scripts subdirectory with mode 700, racoon.init becomes the init script
# and racoon.pam the PAM service file.
Source1: racoon.conf
Source2: psk.txt
Source3: p1_up_down
Source4: racoon.init
Source5: racoon.pam
Patch3: ipsec-tools-0.7-acquires.patch
Patch4: ipsec-tools-0.7.1-loopback.patch
# the following patches were also submitted upstream:
Patch5: ipsec-tools-0.7-iface.patch
Patch6: ipsec-tools-0.7-dupsplit.patch
Patch9: ipsec-tools-0.7-splitcidr.patch
Patch10: ipsec-tools-0.7.2-natt-linux.patch
# The changelog entry for 0.7.1-5 records that racoon is compiled as PIE;
# presumably this is the patch that does it - confirm against the patch file.
Patch11: ipsec-tools-0.7.1-pie.patch
Patch13: ipsec-tools-0.7.1-dpd-fixes.patch
Patch14: ipsec-tools-0.7.2-moreleaks.patch
Patch15: ipsec-tools-0.7.3-aliasing.patch
Patch16: ipsec-tools-0.7.2-nodevel.patch
# Presumably the two GSSAPI fixes listed in the 0.7.3-4 changelog entry
# (token error checking and mechanism selection) - confirm against the patches.
Patch17: ipsec-tools-0.7.3-gssapi-guard.patch
Patch18: ipsec-tools-0.7.3-gssapi-mech.patch

BuildRequires: openssl-devel, krb5-devel, bison, flex, automake, libtool
BuildRequires: libselinux-devel >= 1.30.28-2, pam-devel
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# NOTE(review): the post and preun scriptlets run chkconfig and service, but
# only a plain Requires is declared here. Scriptlet-scoped dependencies
# (Requires(post) / Requires(preun)) would make the install ordering explicit.
Requires: initscripts >= 7.31.11.EL-1, pam
BuildRequires: audit-libs-devel >= 1.3.1

# Directory holding racoon configuration, keys and hook scripts; it is also
# passed to configure as sysconfdir in the build section.
%global racoonconfdir %{_sysconfdir}/racoon

%description
This is the IPsec-Tools package.  You need this package in order to
really use the IPsec functionality in the linux-2.5+ kernels.  This
package builds:

- setkey, a program to directly manipulate policies and SAs
- racoon, an IKEv1 keying daemon

%prep
# Unpack the upstream tarball quietly, then apply each distribution patch with
# one leading path component stripped (-p1). The -b argument is the suffix
# given to the backup copy of every file a patch touches.
%setup -q
%patch3 -p1 -b .acquires
%patch4 -p1 -b .loopback
%patch5 -p1 -b .iface
%patch6 -p1 -b .dupsplit
%patch9 -p1 -b .splitcidr
%patch10 -p1 -b .natt-linux
%patch11 -p1 -b .pie
%patch13 -p1 -b .dpd-fixes
%patch14 -p1 -b .moreleaks
# The backup suffix is .review although the patch file is named "aliasing";
# the suffix only names the backup copies and does not select the patch.
%patch15 -p1 -b .review
%patch16 -p1 -b .nodevel
%patch17 -p1 -b .gssapi-guard
%patch18 -p1 -b .gssapi-mech

# Run the source tree's bootstrap script after patching.
# NOTE(review): presumably this regenerates the autotools output so patched
# build inputs take effect (automake and libtool are BuildRequires); the
# script itself is not visible here - confirm it fetches nothing at build time.
./bootstrap

%build
# Load the krb5-devel profile script; the 0.7-8 changelog entry says this is
# sourced to set the path.
source /etc/profile.d/krb5-devel.sh
# Strip every -Werror from the generated configure script so that compiler
# warnings cannot fail the build.
# NOTE(review): this also means new warnings in a network-facing daemon pass
# silently; keep the build log under review.
sed -i 's|-Werror||g' configure
# NOTE(review): LDFLAGS carries only --as-needed. No RELRO or immediate-binding
# linker hardening is requested here; confirm whether the distribution's
# default flags supply it, since racoon is a keying daemon that parses IKE
# traffic from the network.
LDFLAGS="-Wl,--as-needed"
export LDFLAGS
# Configure with the racoon config directory as sysconfdir and without
# readline. Optional features switched on: admin port, hybrid authentication,
# fragmentation, dead peer detection, GSSAPI, NAT traversal, security-context
# support, audit and PAM. Every enabled feature is additional code reachable
# in the daemon, so each one should correspond to a real deployment need.
%configure \
 --with-kernel-headers=/usr/include \
 --sysconfdir=%{racoonconfdir} \
 --without-readline \
 --enable-adminport \
 --enable-hybrid \
 --enable-frag \
 --enable-dpd \
 --enable-gssapi \
 --enable-natt \
 --enable-security-context \
 --enable-audit \
 --with-libpam
# Serial build; no parallel-make flags are passed.
make

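%install
# Stage the built tree into the build root, then lay down the distribution's
# configuration, key file, hook script, init script and PAM service file with
# explicit modes. Every build-root path is quoted so that a path containing
# whitespace or glob characters cannot split into extra arguments to
# rm, mv or install.
rm -rf "$RPM_BUILD_ROOT"
mkdir -p "$RPM_BUILD_ROOT/sbin"
mkdir -p "$RPM_BUILD_ROOT%{racoonconfdir}"
make install DESTDIR="$RPM_BUILD_ROOT"

# racoon.conf and psk.txt (racoon's pre-shared key file) are installed
# readable and writable by the owner only (600). The files section takes
# modes from the build root, so these are the modes that get packaged.
install -m 600 "%{SOURCE1}" \
  "$RPM_BUILD_ROOT%{racoonconfdir}/racoon.conf"
install -m 600 "%{SOURCE2}" \
  "$RPM_BUILD_ROOT%{racoonconfdir}/psk.txt"

# setkey is relocated from the sbindir used by make install to /sbin.
mv "$RPM_BUILD_ROOT%{_sbindir}/setkey" "$RPM_BUILD_ROOT/sbin"

# Certificate and hook-script directories are owner-only (0700). The -m mode
# applies to the final directory only; parents created by -p keep the default.
mkdir -m 0700 -p "$RPM_BUILD_ROOT%{racoonconfdir}/certs"
mkdir -m 0700 -p "$RPM_BUILD_ROOT%{racoonconfdir}/scripts"
# The phase 1 up/down hook is executable by the owner only (700).
install -m 700 "%{SOURCE3}" \
  "$RPM_BUILD_ROOT%{racoonconfdir}/scripts/p1_up_down"
# Init script (755) and PAM service definition (644); -D creates any missing
# leading directories.
install -D -m755 "%{SOURCE4}" "$RPM_BUILD_ROOT%{_initrddir}/racoon"
install -D -m644 "%{SOURCE5}" "$RPM_BUILD_ROOT%{_sysconfdir}/pam.d/racoon"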

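%clean
# Remove the staged build root. The expansion is quoted so a path with
# whitespace or glob characters is passed to rm as a single argument.
rm -rf "$RPM_BUILD_ROOT"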

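%post
# $1 is the number of instances of the package installed after this
# transaction; 1 means a first install, so the racoon init script is
# registered only then and not on upgrades. chkconfig is called by absolute
# path, as in the preun scriptlet, so the scriptlet does not depend on the
# PATH of whatever runs the transaction.
if [ "$1" = 1 ]; then
        /sbin/chkconfig --add racoon
fi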

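%preun
# $1 is the number of instances that remain after this transaction; 0 means
# final removal rather than an upgrade. Stop the daemon first, discarding its
# output, then deregister the init script. Both tools are called by absolute
# path so the scriptlet does not depend on the PATH of whatever runs the
# transaction.
if [ "$1" = 0 ]; then
        /sbin/service racoon stop > /dev/null 2>&1
        /sbin/chkconfig --del racoon
fi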

%files
# Ownership is forced to root:root. The mode field is "-", so file modes are
# taken from the build root as staged by the install section.
%defattr(-,root,root)
%doc src/racoon/samples/racoon.conf src/racoon/samples/psk.txt
%doc src/racoon/doc/FAQ
%doc ChangeLog NEWS README
/sbin/*
%{_sbindir}/*
%{_mandir}/man*/*
%{_initrddir}/racoon
%dir %{racoonconfdir}
%{racoonconfdir}/scripts/*
%dir %{racoonconfdir}/certs
%dir %{racoonconfdir}/scripts
# NOTE(review): this directory is not created or chmod-ed anywhere in the
# install section, so its mode comes from upstream make install. The changelog
# says it was added for racoon.sock; confirm it is not writable by non-root
# users.
%dir %{_localstatedir}/racoon
# noreplace keeps locally edited copies on upgrade.
# NOTE(review): the 600 mode on psk.txt and racoon.conf depends solely on the
# install step; an explicit attr directive on these entries would pin the
# packaged mode independently of it.
%config(noreplace) %{racoonconfdir}/psk.txt
%config(noreplace) %{racoonconfdir}/racoon.conf
%config(noreplace) %{_sysconfdir}/pam.d/racoon

%changelog
* Fri Sep 25 2009 Tomas Mraz <tmraz@redhat.com> - 0.7.3-4
- properly check for errors on gssapi_get_token_to_send()
- use proper mechanism when canonicalizing gss names
- use password-auth common PAM configuration instead of system-auth

* Fri Aug 21 2009 Tomas Mraz <tmraz@redhat.com> - 0.7.3-3
- rebuilt with new openssl

* Wed Aug 19 2009 Tomas Mraz <tmraz@redhat.com> - 0.7.3-2
- enable xauth over PAM (#470793)
- add TMPDIR setting to the p1_up_down script

* Tue Aug 18 2009 Tomas Mraz <tmraz@redhat.com> - 0.7.3-1
- update to a new upstream version
- fix service stop in preun (#515880)

* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.2-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

* Wed Jul 15 2009 Tomas Mraz <tmraz@redhat.com> - 0.7.2-2
- fix FTBFS (#511556)
- fix some memory leaks and compilation warnings found by review

* Thu Apr 23 2009 Tomas Mraz <tmraz@redhat.com> - 0.7.2-1
- Update to a new upstream version

* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild

* Thu Jan 15 2009 Tomas Mraz <tmraz@redhat.com> - 0.7.1-7
- rebuild with new openssl

* Mon Nov 10 2008 Tomas Mraz <tmraz@redhat.com> - 0.7.1-6
- fix patch porting error in the dpd-fixes patch (#470575)

* Fri Oct 17 2008 Tomas Mraz <tmraz@redhat.com> - 0.7.1-5
- fix CVE-2008-3652 (memory leak DoS)
- compile racoon as PIE
- another fix for teardown of the IPSEC SAs on DPD in some circumstances

* Sun Aug 10 2008 Tomas Mraz <tmraz@redhat.com> - 0.7.1-4
- Even better fix for IPSEC SA purging avoiding code duplication
  (original idea by Darrel Goeddel)

* Fri Aug  8 2008 Tomas Mraz <tmraz@redhat.com> - 0.7.1-3
- Fix IPSEC SA purge with NAT_T enabled

* Wed Jul 30 2008 Tomas Mraz <tmraz@redhat.com> - 0.7.1-2
- Different approach to allow racoon to add loopback SAs for
  labeled IPSec (without ISAKMP)

* Tue Jul 29 2008 Tomas Mraz <tmraz@redhat.com> - 0.7.1-1
- Update to a new upstream version

* Thu Feb 28 2008 Steve Conklin <sconklin@redhat.com> - 0.7-13
- Resolves bz#273261 remote-access client connection to Cisco ASA

* Mon Feb 25 2008 Steve Conklin <sconklin@redhat.com> - 0.7-12
- And again

* Mon Feb 25 2008 Steve Conklin <sconklin@redhat.com> - 0.7-11
- Messed that up, bumping

* Mon Feb 25 2008 Steve Conklin <sconklin@redhat.com> - 0.7-10
- Added upstream patch to fix ipv6 cookie alen

* Thu Feb 14 2008 Steve Conklin <sconklin@redhat.com> - 0.7-9
- rebuild for gcc4.3

* Wed Dec 19 2007 Steve Conklin <sconklin@redhat.com> - 0.7-8
- sourced krb5-devel.sh to set path

* Tue Dec 18 2007 Steve Conklin <sconklin@redhat.com> - 0.7-7
- bumped for retag

* Tue Dec 18 2007 Steve Conklin <sconklin@redhat.com> - 0.7-6
- Added a patch for context size change
- Resolves #413331 racoon dies with buffer overflow in MCS/MLS loopback

* Fri Dec  7 2007 Steve Conklin <sconklin@redhat.com> - 0.7-5
- Bump for retagging

* Fri Dec  7 2007 Steve Conklin <sconklin@redhat.com> - 0.7-4
- Rebuild for dependencies

* Thu Sep 20 2007 Steve Conklin <sconklin@redhat.com> - 0.7-3
- Applied the following patches from Gabriel Somlo
- Patches for connecting to Cisco ASA in remote-access (road-warrior) mode
- Added phase1_up_down mode config script
- Including our own .h files (ipsec, pfkeyv2, xfrm, udp) no longer necessary
- Added init script for racoon daemon

* Tue Aug 28 2007 Steve Conklin <sconklin@redhat.com> - 0.7-2
- Fixed the loopback patch

* Tue Aug 28 2007 Steve Conklin <sconklin@redhat.com> - 0.7-1
- Rebase to upstream 0.7

* Mon Apr 23 2007 Steve Grubb <sgrubb@redhat.com> - 0.6.5-8
- Upstream fix for Racoon DOS, informational delete must be encrypted
- Resolves: rhbz#235388 - CVE-2007-1841 ipsec-tools racoon DoS

* Fri Apr 20 2007 Steve Grubb <sgrubb@redhat.com> - 0.6.5-7
- Resolves: #218386 labeled ipsec does not work over loopback

* Mon Apr 16 2007 Steve Grubb <sgrubb@redhat.com> - 0.6.5-6.6
- Related: #232508 add auditing to racoon

* Sat Apr 14 2007 Steve Grubb <sgrubb@redhat.com> - 0.6.6-6%{?dist}
- Resolves: #235680 racoon socket descriptor exhaustion

* Fri Apr 13 2007 Steve Grubb <sgrubb@redhat.com> - 0.6.6-4%{?dist}
- Resolves: #236121 increase buffer for context
- Resolves: #234491 kernel sends ACQUIRES that racoon is not catching
- Resolves: #218386 labeled ipsec does not work over loopback

* Tue Mar 20 2007 Harald Hoyer <harald@redhat.com> - 0.6.6-3%{?dist}
- fix for setting the security context into a 
  proposal (32<->64bit) (rhbz#232508)

* Wed Jan 17 2007 Harald Hoyer <harald@redhat.com> - 0.6.6-1
- version 0.6.6

* Sun Oct 01 2006 Jesse Keating <jkeating@redhat.com> - 0.6.5-6
- rebuilt for unwind info generation, broken in gcc-4.1.1-21

* Mon Sep 25 2006 Harald Hoyer <harald@redhat.com> - 0.6.5-5
- added patch for selinux integration (bug #207159)

* Fri Aug  4 2006 Harald Hoyer <harald@redhat.com> - 0.6.5-4
- backport of important 0.6.6 fixes:
  - sets NAT-T ports to 0 if no NAT encapsulation
  - fixed memory leak

* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 0.6.5-3.1
- rebuild

* Wed Jun 21 2006 Harald Hoyer <harald@redhat.com> - 0.6.5-3
- more build requirements

* Tue Apr 18 2006 Dan Walsh <dwalsh@redhat.com> - 0.6.5-2
- Fix patch to build MLS Stuff correctly

* Tue Apr 18 2006 Dan Walsh <dwalsh@redhat.com> - 0.6.5-1
- Update to latest upstream version
- Add MLS Patch to allow use of labeled networks
- Patch provided by Joy Latten <latten@austin.ibm.com>

* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 0.6.4-1.1
- bump again for double-long bug on ppc(64)

* Tue Feb 07 2006 Harald Hoyer <harald@redhat.com> 0.6.4-1
- version 0.6.4

* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 0.6.3-1.2
- rebuilt for new gcc4.1 snapshot and glibc changes

* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
- rebuilt

* Mon Dec 05 2005 Harald Hoyer <harald@redhat.com> 0.6.3-1
- version 0.6.3, which contains fixes for various DoS problems

* Wed Nov  9 2005 Tomas Mraz <tmraz@redhat.com> 0.6.1-2
- rebuilt against new openssl

* Wed Oct 12 2005 Harald Hoyer <harald@redhat.com> 0.6.1-1
- version 0.6.1

* Mon Mar 28 2005 Bill Nottingham <notting@redhat.com> 0.5-4
- fix 64-bit issue in setph1attr() (<aviro@redhat.com>)

* Mon Mar 14 2005 Bill Nottingham <notting@redhat.com> 0.5-3
- add patch for DoS (CAN-2005-0398, #145532)

* Sat Mar  5 2005 Uwe Beck <ubeck@c3pdm.com> 0.5-2
- now racoon use /etc/racoon/racoon.conf as default
- add the /var/racoon directory for racoon.sock

* Wed Feb 23 2005 Bill Nottingham <notting@redhat.com> 0.5-1
- update to 0.5

* Thu Nov  4 2004 Bill Nottingham <notting@redhat.com> 0.3.3-2
- don't use new 0.3.3 handling of stdin in setkey; it breaks the
  format (#138105)

* Mon Sep 27 2004 Bill Nottingham <notting@redhat.com> 0.3.3-1
- update to 0.3.3 (#122211)

* Sun Aug 08 2004 Alan Cox <alan@redhat.com> 0.2.5-6
- fix buildreqs (Steve Grubb)

* Mon Jun 28 2004 Nalin Dahyabhai <nalin@redhat.com> 0.2.5-5
- rebuild

* Fri Jun 25 2004 Nalin Dahyabhai <nalin@redhat.com> 0.2.5-4
- backport certificate validation fixes from 0.3.3 (#126568)

* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt

* Wed Apr 14 2004 Bill Nottingham <notting@redhat.com> - 0.2.5-2
- add patch for potential remote DoS (CAN-2004-0403)

* Tue Apr  6 2004 Bill Nottingham <notting@redhat.com>
- update to 0.2.5

* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt

* Mon Feb 23 2004 Bill Nottingham <notting@redhat.com>
- update to 0.2.4, fix racoon install location (#116374, <kajtzu@fi.basen.net>)

* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
- rebuilt

* Mon Dec  8 2003 Bill Nottingham <notting@redhat.com> 0.2.2-8
- rebuild

* Fri Aug 29 2003 Bill Nottingham <notting@redhat.com> 0.2.2-7
- add fix for #103238

* Tue Aug  5 2003 Bill Nottingham <notting@redhat.com> 0.2.2-6
- update kernel interface bits, rebuild against them

* Tue Jul 29 2003 Bill Nottingham <notting@redhat.com> 0.2.2-5
- rebuild

* Wed Jul  2 2003 Bill Nottingham <notting@redhat.com> 0.2.2-4
- ship a much more pared-down racoon.conf and psk.txt

* Thu Jun  5 2003 Bill Nottingham <notting@redhat.com> 0.2.2-3
- update pfkey header for current kernels

* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
- rebuilt

* Fri May  2 2003 Bill Nottingham <notting@redhat.com> 0.2.2-1
- update to 0.2.2

* Fri Mar  7 2003 Bill Nottingham <notting@redhat.com>
- initial build